A federal judge dismissed Apple’s claim that virtualization startup Corellium was involved in copyright infringement and violated the DMCA.
On Tuesday, Apple Inc. received a big setback. The company had filed a lawsuit against the virtualization software provider and cybersecurity firm Corellium back in August 2019. The iPhone maker claimed that Corellium’s product infringed its copyright. Later, the company added that Corellium’s product also violated the Digital Millenium Copyright Act (DMCA).
However, judge Rodney Smith dismissed the lawsuit, citing that Apple Inc. couldn’t come up with a valid legal ground to back its claims for protecting its iOS from security researchers. Apple hasn’t yet released any statement to respond to the ruling.
According to the docket [PDF] filed today, the Court couldn’t find any evidence of a ‘lack of good faith and fair dealing.’
“Having reviewed the evidence, the Court does not find a lack of good faith and fair dealing. Further, weighing all the necessary factors, the Court finds that Corellium has met its burden of establishing fair use. Thus, its use of iOS in connection with the Corellium Product is permissible. On these grounds, Corellium’s Motion for Summary Judgment is granted on Apple’s copyright claim.”
What is Corellium?
Corellium is a cybersecurity firm offering virtualized iOS software for security testing. Through its products, security researchers can spin up a virtualized ARM device and iOS devices in a browser to closely inspect it for discovering potential security flaws.
For instance, Corellium product can help a security researcher fire up a simulated iPhone, and if a bug is found, they can load previous iOS versions to check how long the bug has been there.
Judge Rodney Smith ruled that Corellium’s software was designed to identify security flaws in Apple software, and therefore, it was ‘fair use’ of the copyrighted material.
“From the infancy of copyright protection, courts have recognized that some opportunity for fair use of copyrighted materials is necessary to fulfill copyright’s purpose of promoting ‘the progress of science and useful arts,'” the Florida judge wrote.
According to the judge, Corellium’s conduct was fair while performing activities like viewing and halting running processes, modifying the kernel, using the CoreTrace tool for viewing system calls, taking live snapshots, and using an app browser or a file browser to check whether the product is a repackaged iOS version or not.
“There is evidence in the record to support Corellium’s position that its product is intended for security research and, as Apple concedes, can be used for security research. Further, Apple itself would have used the product for internal testing had it successfully acquired the company.”
Judge Smith further wrote that Corellium’s tool offered features that actually strengthened its claim for fair use.
“Corellium makes several changes to iOS and incorporates its own code to create a product that serves a transformative purpose. Hence, Corellium’s profit motivation does not undermine its fair use defense, particularly considering the public benefit of the product.”
Apple’s Loss is Researchers’ Gain
Apple argued that Corellium was involved in its authentication server’s circumvention and secure boot chain, which violated the DMCA. The DMCA has banned the circumvention of copy protection measures.
It is worth noting that though the judge dismissed Apple’s other claims, not the DMCA charges, particularly because Corellium couldn’t defend the DMCA-related allegations properly. The judge deferred the ruling on the DMCA charge.
Still, the dismissal of Apple’s other claim is a significant setback for the company.
"Corellium, a security research firm sued by Apple, has won a major legal victory against the iPhone maker. A federal judge in Florida threw out Apple’s claims that Corellium violated copyright law with its software, which helps security researchers find bugs and security holes." https://t.co/pdUFbDHBHj
— Corellium (@CorelliumHQ) December 29, 2020
However, the ruling may have implications for researchers who identify bugs and vulnerabilities in the iOS system. If the verdict is upheld, it would be a victory for security researchers facing criminal or civil penalties for reproducing copyrighted software to find bugs.
It will also restrict Apple’s efforts to maintain full control of the iOS operating system and force third parties to use its own designed proprietary security research tools.